<html>
<head><meta charset="utf-8"><title>Unsafe code reviews? · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html">Unsafe code reviews?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="168711635"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168711635" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168711635">(Jun 21 2019 at 19:59)</a>:</h4>
<p>Is this a place where people should post unsafe code that they want to have inspected for validity? Or is there some other place that's better?</p>



<a name="168713277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168713277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168713277">(Jun 21 2019 at 20:21)</a>:</h4>
<p>I can’t say that this is the <em>goal</em> of this stream, but I do use it a bit like that. Generally my hope is to provide some interesting “real world” test cases to the UCG group. They would then take them and make actual guidelines and produce a beautiful book like thing, and then I just read that and run Miri and never bother anyone.</p>
<p>We aren’t quite at the last step yet… <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="168713436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168713436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168713436">(Jun 21 2019 at 20:23)</a>:</h4>
<p>Yes, if you have some question that you can reduce to a small example of unsafe code, this stream is a good place to ask.<br>
That's not the same thing as code review though. Speaking just for myself, I cannot provide review-as-a-service, that's just too time consuming.</p>



<a name="168801515"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168801515" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168801515">(Jun 23 2019 at 17:30)</a>:</h4>
<p>I'm trying to review very popular crates with <code>unsafe</code> with them right now, so cannot help here. If I were you I'd post to <a href="http://reddit.com/r/rust/" target="_blank" title="http://reddit.com/r/rust/">http://reddit.com/r/rust/</a> - that usually does the trick when I need input on something</p>



<a name="168801957"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168801957" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168801957">(Jun 23 2019 at 17:45)</a>:</h4>
<p>I've been looking at DEFLATE decoders and the situation there is quite sad. In <code>libflate</code>(7500 downloads/day) almost every single unsafe block I looked at was unsound, and I've inspected less than half of the crate. Issues that still aren't fixed:<br>
<a href="https://github.com/sile/libflate/issues/31" target="_blank" title="https://github.com/sile/libflate/issues/31">https://github.com/sile/libflate/issues/31</a><br>
<a href="https://github.com/sile/libflate/issues/33" target="_blank" title="https://github.com/sile/libflate/issues/33">https://github.com/sile/libflate/issues/33</a><br>
Then there is <code>miniz_oxide</code>(6000 downloads/day) which I've just started reviewing, but the second unsafe block I looked at had buffer overflow on write in it: <a href="https://github.com/Frommi/miniz_oxide/pull/47" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/47">https://github.com/Frommi/miniz_oxide/pull/47</a> (fix still unreleased)<br>
Plus there is something much more interesting going on with a segfault on panic (<a href="https://github.com/Frommi/miniz_oxide/issues/14" target="_blank" title="https://github.com/Frommi/miniz_oxide/issues/14">https://github.com/Frommi/miniz_oxide/issues/14</a>) and also some type confusion issues that are beyond me (<a href="https://github.com/Frommi/miniz_oxide/pull/36" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/36">https://github.com/Frommi/miniz_oxide/pull/36</a>)<br>
And this is the code that's exposed to untrusted input from the network through <code>reqwest</code> <span aria-label="disappointed" class="emoji emoji-1f61e" role="img" title="disappointed">:disappointed:</span></p>



<a name="168803680"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168803680" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168803680">(Jun 23 2019 at 18:37)</a>:</h4>
<p>The only silver lining is that there is a DEFLATE decoding crate called <code>inflate</code> that is slower and less popular, but has only one unsafe block, and we've already found and fixed the vulnerability in that one. Plus I have an RFC open that will make its only bespoke unsafe block redundant:<br>
<a href="https://github.com/rust-lang/rfcs/pull/2714" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2714">https://github.com/rust-lang/rfcs/pull/2714</a></p>



<a name="168804701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168804701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168804701">(Jun 23 2019 at 19:08)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I was actually gearing up to make a core-only Deflate lib (which I need for my core-only PNG parser lib), so perhaps you can provide guidance in that area once I read the spec closely enough and have something to show. Unfortunately I've never done Huffman stuff before so it's a slow start at the moment, but Soon(tm).</p>



<a name="168804774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168804774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168804774">(Jun 23 2019 at 19:10)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> oh wow that's pretty sad :(</p>



<a name="168804827"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168804827" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168804827">(Jun 23 2019 at 19:12)</a>:</h4>
<p>do you have any ideas for how to avoid unsoundness from creeping back in after the blocks you looked at got fixed? You seem to push for being able to express more things in safe code without a performance hit, but what about cases where that is not possible?</p>



<a name="168804890"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168804890" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168804890">(Jun 23 2019 at 19:14)</a>:</h4>
<p>Actually, the C implementation of miniz only ever used the stack, Rust impl then put some things in <code>Box&lt;&amp;[u8]&gt;</code> because the compiler was not great at optimizing out stack copies. Perhaps you will be able to adapt miniz_oxide, it's easier than starting from scratch.<br>
I don't think I can offer much help on DEFLATE specifically because I was only ever doing the following:<br>
1. Fuzz the crate through its public API<br>
2. Once all the bugs found by fuzzing are fixed, grep for <code>unsafe</code> and try to check if it's sound.<br>
3. If nothing obviously wrong turns up, try to refactor it into safe Rust without losing performance.<br>
So I have only a very cursory idea of what DEFLATE does. I know it has RLE in it which is impossible to implement safely and efficiently right now (hence my RFC to fix that), but that's about it.</p>



<a name="168805168"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805168" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805168">(Jun 23 2019 at 19:25)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> open Rust RFCs to make it possible.<br>
What other options do we have... well, fuzzing with ASAN or running fuzz corpus through MIRI on CI helps, but is not a silver bullet because those are dynamic analyzers, they need an input that would trigger the bug.<br>
Having a sound security-oriented static analyzer would be rad, but that's what borrow checker is. Also Prusti, but that also only works with safe code. I doubt people would bother with something like KLEE, and I don't think such a tool even exists for Rust at this point.<br>
Heuristic static analyzers could help but are also not a silver bullet.<br>
So... I guess open Rust RFCs to make it possible is actually the best option. Followed by putting the code in a crate if it's too niche and then reusing that one crate, and hoping that somewhere, somebody has audited it. <code>cargo-crev</code> might help in that regard.</p>



<a name="168805219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805219">(Jun 23 2019 at 19:26)</a>:</h4>
<p>So basically my approach is "write and audit once" over "everyone rolls their own <code>unsafe</code>", and I have a hard time imagining a case where it's flat out impossible. Can you provide some examples?</p>



<a name="168805475"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805475" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805475">(Jun 23 2019 at 19:35)</a>:</h4>
<p>I was mostly wondering if you had encountered such an example :) You have certainly seen much more unsafe code in the wild than I did.</p>



<a name="168805484"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805484" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805484">(Jun 23 2019 at 19:36)</a>:</h4>
<p>(and btw, if you could leave some advise/notes/lessons learned at <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/146" target="_blank" title="https://github.com/rust-lang/unsafe-code-guidelines/issues/146">https://github.com/rust-lang/unsafe-code-guidelines/issues/146</a>, that would be great)</p>



<a name="168805544"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805544" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805544">(Jun 23 2019 at 19:37)</a>:</h4>
<p>In terms of what to do, beyond tooling I was also thinking of better docs/books/tutorials/whatever. Do you feel the issues arise because people don't understand what they are supposed to do? That's a point I am worried about in particular for the more subtle things, like how to handle uninitialized memory. Though the first PR you linked actually had a <code>TODO: audit this</code> in there, so in that case documentation probably was not the problem. ;)</p>



<a name="168805838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805838">(Jun 23 2019 at 19:47)</a>:</h4>
<p>OOooh hey look, a use-after-free in <code>smallvec</code>: <a href="https://github.com/servo/rust-smallvec/issues/148" target="_blank" title="https://github.com/servo/rust-smallvec/issues/148">https://github.com/servo/rust-smallvec/issues/148</a></p>



<a name="168805881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168805881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168805881">(Jun 23 2019 at 19:48)</a>:</h4>
<p>/facepalm</p>



<a name="168806124"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806124" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806124">(Jun 23 2019 at 19:57)</a>:</h4>
<p>Aaand another one: <a href="https://github.com/servo/rust-smallvec/issues/149" target="_blank" title="https://github.com/servo/rust-smallvec/issues/149">https://github.com/servo/rust-smallvec/issues/149</a><br>
This one looks non-Rust-specific, just general faulty logic.</p>



<a name="168806653"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806653" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806653">(Jun 23 2019 at 20:15)</a>:</h4>
<p>Sorry, had an "Ooh, shiny!" moment. Back to your question.<br>
So far the majority of bugs that I've seen are pretty basic logic bugs in unsafe code, like the smallvec issues above. See also <a href="https://rustsec.org/advisories/" target="_blank" title="https://rustsec.org/advisories/">https://rustsec.org/advisories/</a> - that too lists mostly basic stuff like logic errors in unsafe code.<br>
The only one I can think of that is trickier is <a href="https://github.com/servo/rust-smallvec/issues/96" target="_blank" title="https://github.com/servo/rust-smallvec/issues/96">https://github.com/servo/rust-smallvec/issues/96</a> - this is an interaction between unsafe code, iterators and panics. But it is pretty hard to trigger in practice.<br>
However, I am incapable of detecting such bugs, so no wonder I've never found any them. It seems likely other people also have a much better understanding of manipulating the heap with raw pointers in a loop than of the invariants that iterators need to uphold and how that might cause a double-free for non-Copy types. So I'd wager that such bugs are simply undetected instead of nonexistent.<br>
Although I see a lot less unsafe code dealing with iterators than with plain old memory regions.</p>



<a name="168806740"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806740" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806740">(Jun 23 2019 at 20:17)</a>:</h4>
<p>I feel that a guide on interacting with iterators from unsafe code in a sound fashion would be helpful, along with a testsuite of "evil" iterators that trigger the non-obvious edge-cases. For example, I have only learned about the set-len-on-drop trick from the SmallVec bug; I don't think there are any docs on that, although I admit I didn't read the Nomicon too closely.</p>



<a name="168806803"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806803" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806803">(Jun 23 2019 at 20:19)</a>:</h4>
<p><strong>A testsuite of evil iterators</strong> actually sounds like a great idea. Say, a panicking iterator over an non-Copy type (potential double-free), an iterator that lies about its length (potential out-of-bounds), and probably a lot more evil stuff that I'm not aware of.</p>



<a name="168806809"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806809" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806809">(Jun 23 2019 at 20:19)</a>:</h4>
<p>Also, it's not common knowledge that passing a buffer of uninitialized memory to <code>read(&amp;mut self, buf: &amp;mut [u8])</code>provided by an arbitrary <code>Read</code> implementation is actually UB. But this is a pretty clearly missing abstraction - Vec-like view of a fixed-capacity buffer. There is even a crate to solve that, see <code>buffer</code>, but nobody knows about it and so nobody uses it.</p>



<a name="168806857"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168806857" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168806857">(Jun 23 2019 at 20:20)</a>:</h4>
<p>So in more general terms, I think the clarity on what invariants various non-trivial Rust facilities are supposed to uphold would be great, especially if they come with a testsuite exercising unexpected but valid edge cases.</p>



<a name="168808650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808650">(Jun 23 2019 at 21:20)</a>:</h4>
<p>Thanks a lot, that's useful feedback!</p>



<a name="168808653"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808653" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808653">(Jun 23 2019 at 21:20)</a>:</h4>
<blockquote>
<p>it's not common knowledge that passing a buffer of uninitialized memory to read(&amp;mut self, buf: &amp;mut [u8])provided by an arbitrary Read implementation is actually UB. But this is a pretty clearly missing abstraction - Vec-like view of a fixed-capacity buffer. There is even a crate to solve that, see buffer, but nobody knows about it and so nobody uses it.</p>
</blockquote>
<p>Isn't the missing abstraction here basically out pointers, related to placement-new? That has a loooong history though...</p>



<a name="168808715"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808715" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808715">(Jun 23 2019 at 21:23)</a>:</h4>
<p><a href="https://crates.io/crates/buffer" target="_blank" title="https://crates.io/crates/buffer">https://crates.io/crates/buffer</a> seems good enough to me. This is like a Vec over a fixed-size backing allocation.</p>



<a name="168808902"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808902" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808902">(Jun 23 2019 at 21:29)</a>:</h4>
<p>doesn't look very maintained though...</p>



<a name="168808966"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808966" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808966">(Jun 23 2019 at 21:31)</a>:</h4>
<p>it also seems to do a lot of things like create references to uninitialized data and the like that is not actually allowed...</p>



<a name="168808973"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168808973" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168808973">(Jun 23 2019 at 21:31)</a>:</h4>
<p>Yeah frankly I expected something like that when somebody said "hey look I made a data structure", but never had the time to look</p>



<a name="168809020"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809020" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809020">(Jun 23 2019 at 21:33)</a>:</h4>
<p>But! We have a (hopefully) sound prototype that works for Vec only: <a href="https://github.com/WanzenBug/rust-fixed-capacity-vec" target="_blank" title="https://github.com/WanzenBug/rust-fixed-capacity-vec">https://github.com/WanzenBug/rust-fixed-capacity-vec</a></p>



<a name="168809077"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809077" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809077">(Jun 23 2019 at 21:35)</a>:</h4>
<p>This lets you temporarily view Vec with a frozen capacity. If you try to trigger reallocation it panics. This allows two interesting things:<br>
1. Appending to Vec while parts of it are borrowed<br>
2. Solves the "output reference" problem by being a fixed-capacity buffer that does not expose uninitialized data for reading</p>



<a name="168809081"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809081" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809081">(Jun 23 2019 at 21:35)</a>:</h4>
<p>I like the API for <code>buffer</code> crate a lot more though. Mostly because it's not restricted to Vec</p>



<a name="168809084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809084">(Jun 23 2019 at 21:35)</a>:</h4>
<p>Oh and please report a bug on <code>buffer</code> if it does something illegal</p>



<a name="168809128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809128">(Jun 23 2019 at 21:36)</a>:</h4>
<p>maybe I should start using <code>cargo-crev</code> because I have so much "don't use this!" feedback to share with people lately</p>



<a name="168809252"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809252" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809252">(Jun 23 2019 at 21:41)</a>:</h4>
<p>Not sure what kind of unsafe code I can contribute to <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/146" target="_blank" title="https://github.com/rust-lang/unsafe-code-guidelines/issues/146">https://github.com/rust-lang/unsafe-code-guidelines/issues/146</a> that you wouldn't find by grepping <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>, so replied to it with some sample bugs in unsafe code instead.</p>



<a name="168809986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168809986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168809986">(Jun 23 2019 at 22:05)</a>:</h4>
<p>Oh. I got confused by the "Canvas" term. I get it now - you want to know why people choose to use <code>unsafe</code>. Yeah, I've been wondering about that too - and actually contemplated starting a "libs blitz"-like effort to map it, where possible convert it to safe, where impossible understand why. But now that I've looked at DEFLATE decoders I've realized that safe abstractions for almost everything are already present in stdlib, but were added so recently that for crates with any Rust version compatibility guarantees at all it's impossible to use them. For example, <code>to_le_bytes</code> requires 1.32 while using <code>from_le_bytes</code> on a slice also needs <code>TryFrom</code> which requires is 1.34<br>
So my current thinking is to let things settle down, wait for debian stable to ship 1.34 and then incite The Great Unsafe Purge. This should be happening sometime this year.</p>



<a name="168813587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168813587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168813587">(Jun 24 2019 at 00:06)</a>:</h4>
<p>I would say that my main uses of unsafe are: (1) FFI, recently specifically SDL2 bindings that I wrote myself because the commonly used <code>sdl2</code> crate isn't good enough (definitely has leaks, might be unsound?), (2) GBA programming where Rust just doesn't offer safe abstraction (because it honestly can't, no fault here), (3) building an abstraction in Rust for a normal computing situation because the core/std lib just doesn't offer what I want.</p>
<p>Case 3 can't be avoided because the standard lib specifically chooses to keep out code and let crates try it out until a clear winning style is hit upon.</p>



<a name="168829382"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168829382" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168829382">(Jun 24 2019 at 07:52)</a>:</h4>
<blockquote>
<p>Oh and please report a bug on <code>buffer</code> if it does something illegal</p>
</blockquote>
<p>well it's one of those "we haven't specified it as legal yet and would like to keep the option of declaring it illegal -- but it won't cause any issues in <em>current</em> compiler versions"</p>



<a name="168880476"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168880476" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168880476">(Jun 24 2019 at 20:01)</a>:</h4>
<p><span class="user-mention" data-user-id="224471">@Lokathor</span> <a href="https://github.com/image-rs/inflate" target="_blank" title="https://github.com/image-rs/inflate">https://github.com/image-rs/inflate</a> this actually has core-only mode, and it's already used as the DEFLATE implementation in the <code>png</code> crate. This implementation is also safe to the best of my knowledge - we've already found and fixed the bug in its only unsafe block. Its only problem is that it's slow, but perhaps you'll be able to optimize it. It's definitely a better use of your time than writing the fourth DEFLATE decompressor.</p>



<a name="168880597"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168880597" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168880597">(Jun 24 2019 at 20:02)</a>:</h4>
<blockquote>
<p>we've already found and fixed the bug in its only unsafe block</p>
</blockquote>
<p>so we have a limit of one bug per block? ;)</p>



<a name="168880810"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168880810" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168880810">(Jun 24 2019 at 20:05)</a>:</h4>
<p>I don't see a way to make it no_std in that crate. Either way, I'm going to do it myself at some point and if it's only for educational purposes that's fine.</p>



<a name="168881541"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168881541" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168881541">(Jun 24 2019 at 20:15)</a>:</h4>
<p>Ugh, "the" is wrong here. Sorry, English is not my native tongue. "A bug" would be more appropriate. But yeah, there could be more vulns lurking in there.</p>



<a name="168881628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168881628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168881628">(Jun 24 2019 at 20:16)</a>:</h4>
<p>It says:</p>
<blockquote>
<p>Finally, if you need even more flexibility, or if you only want to depend on core, you can use the inflate::InflateStream API. The below example decodes an array of DEFLATE encoded bytes:</p>
</blockquote>
<p>but IDK, maybe they need <code>alloc</code> too.</p>



<a name="168881947"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168881947" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168881947">(Jun 24 2019 at 20:20)</a>:</h4>
<p>separate from that, there's no feature for the crate to be <code>no_std</code>, so it'll pull in std just by that.</p>



<a name="168884794"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168884794" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168884794">(Jun 24 2019 at 21:00)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> you mentioned seeing several occurrences of <code>read</code> being called in a generic way with an uninitialized buffer... here's my attempt to improve the docs to call this out as illegal: <a href="https://github.com/rust-lang/rust/pull/62102" target="_blank" title="https://github.com/rust-lang/rust/pull/62102">https://github.com/rust-lang/rust/pull/62102</a></p>



<a name="168884989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168884989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168884989">(Jun 24 2019 at 21:03)</a>:</h4>
<p>At a glance it is not obvious to me who the "user of a trait" is. How about "it is responsibility of the code calling this function" ... to initialize the buffer?</p>



<a name="168885362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168885362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168885362">(Jun 24 2019 at 21:09)</a>:</h4>
<p>Actually, I've just gone ahead and suggested a replacement for that entire paragraph. But I'm slightly sleep-deprived so don't 100% trust my judgment.</p>



<a name="168888001"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168888001" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168888001">(Jun 24 2019 at 21:48)</a>:</h4>
<p>I've added zero-initialization to growing a Vec and that made the entire decoding process 5% <strong>faster!</strong> What kind of sorcery is this?! <a href="https://github.com/sile/libflate/pull/34/files" target="_blank" title="https://github.com/sile/libflate/pull/34/files">https://github.com/sile/libflate/pull/34/files</a></p>



<a name="168888107"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168888107" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168888107">(Jun 24 2019 at 21:50)</a>:</h4>
<p>I know <code>vec![len; 0];</code> actually requests zeroed memory from the OS, but in here initializing the vector with zeroes is NOT supposed to be faster than simply writing to a slice of uninitialized memory!</p>



<a name="168888264"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168888264" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168888264">(Jun 24 2019 at 21:52)</a>:</h4>
<p>er, <code>vec![0; len]</code> :)</p>



<a name="168888382"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168888382" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168888382">(Jun 24 2019 at 21:54)</a>:</h4>
<p>Tests still pass, I've checked</p>



<a name="168888914"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168888914" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168888914">(Jun 24 2019 at 22:02)</a>:</h4>
<p>Yup, it produces the exact same output, but 5% faster. I'm glad, but... WHY?!</p>



<a name="168889207"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe%20code%20reviews%3F/near/168889207" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Unsafe.20code.20reviews.3F.html#168889207">(Jun 24 2019 at 22:07)</a>:</h4>
<p>LLVM may be able to optimise better with knowledge that the buffer is 0-ed rather than undef by e.g. not being too careful about reading uninitialized data when doing certain operations and simd-ing everything together</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>